top of page

BPO and Cross-Border DataTransfer: A Data Privacy Concern

Data Transfer


The Indian BPO sector began its journey in the early 1990s with the liberalization of the Indian economy. The entry of multinational companies and the adoption of information technology laid the groundwork for the industry's growth. Over the years, supportive government policies, investment in infrastructure, and a

growing pool of skilled professionals fueled the industry's expansion. By the early 2000s, India had firmly established itself as a preferred destination for outsourcing.

The Growth and Evolution of the BPO Sector

The BPO sector has been a major employment generator, providing jobs to millions of young professionals. It has contributed substantially to India's GDP, with cities like Bangalore, Hyderabad, and Pune becoming key hubs. Additionally, the growth of the BPO industry has spurred urbanization and development in tier-2 and tier-3 cities, creating a ripple effect on local economies. Initially focused on call centers and customer support, the BPO industry in India has diversified into various high-value services, including Knowledge Process Outsourcing (KPO), IT services, financial services, healthcare, and legal process outsourcing. This diversification has enhanced the industry's resilience and growth prospects. As the industry evolves, embracing new technologies and expanding service offerings will be key to

maintaining its leadership in the global BPO market.

Importance of Data Privacy in BPO

Nature of Data Handled

BPO firms handle vast amounts of Personal Identifiable Information (PII), including financial records, medical information, and other sensitive data. The handling of such data necessitates stringent data privacy measures to prevent unauthorized access and breaches.

Risks of Data Breaches

Data breaches can lead to severe consequences, including financial losses, legal penalties, and reputational damage. For BPO companies, maintaining robust data security protocols is crucial to avoid these risks and protect client information.

Building Trust with Clients

Ensuring data security is a competitive advantage for BPO firms. Clients are more likely to trust and continue business relationships with companies that demonstrate strong data protection practices and compliance with international data privacy standards.

Indian Data Privacy Laws

Data protection has increasingly become a significant issue in India since the Supreme Court recognized privacy as a fundamental right in the landmark Puttaswamy case in 2017. The Digital Personal Data Protection Act and the extensive body of jurisprudence on data protection in India originate from the

Supreme Court's decision in Justice K.S. Puttaswamy and Anr v. Union of India and Ors (Writ Petition (Civil) No. 494 of 2012) ('Puttaswamy').

In the Puttaswamy case, the Supreme Court unanimously ruled that the right to privacy is an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution of India ('the Constitution'). This included both a negative obligation to refrain from violating the right to privacy and a positive obligation to take necessary measures to protect it. The Puttaswamy verdict reshaped Indian privacy law, influencing the interpretation of existing privacy regulations and paving the way for a robust common law tort of privacy violation independent of statutory provisions.

The Supreme Court further clarified that any law infringing on the right to privacy would undergo constitutional scrutiny and must satisfy the three-fold test of legality, necessity, and proportionality. Following this landmark decision, there were several legislative efforts between 2018 and 2022 to establish a comprehensive data privacy law. In 2023, the Indian Parliament enacted the Digital Personal Data

Protection Act 2023 (DPDPA).

Key Provisions of the DPDPA

The DPDPA specifically addresses digital personal data, imposing duties on entities classified as 'data fiduciaries' and establishing rights for 'data principals.' It also permits the outward transfer of data from India. Aligning with international standards, the Act outlines lawful grounds for data processing, data

subject rights, and requirements such as the appointment of a consent manager, vendor management, and data security.

Definition of Personal Data: Clear definitions of what constitutes personal and sensitive personal data.

Consent Requirements: Mandates obtaining explicit consent from individuals for processing their


Data Processing Limitations: Specifies the purposes for which data can be processed and stored.

Rights of Data Subjects: Individuals have rights to access, correct, and delete their personal data.

Data Localization Mandates: Requires that certain categories of personal data be stored within India.

Cross-Border Data Transfer: Section 16 of the DPDPA allows the free transfer of personal data to any country or territory outside India except those specifically blacklisted by the central government.

Criteria for Permitted Data Transfers

Under the GDPR, data transfers are permissible if the receiving jurisdiction or entity ensures sufficient protection for the personal data of European residents. Transfers are allowed to countries that the European Commission has deemed to provide adequate protection or between entities in jurisdictions adhering to binding corporate rules or appropriate safeguards. These articles outline the principles for evaluating the permissibility of cross-border data transfers.

In contrast, the DPDPA does not specify criteria for determining which countries will be blacklisted. It simply lists the countries to which data transfers will be restricted without providing justifications of adequacy or mechanisms akin to standard contractual clauses or binding corporate rules that would allow data transfers to entities in prohibited jurisdictions.

Previously, India's data protection regime required compliance for transferring sensitive personal data (such as passwords, financial information, health records, sexual orientation, medical history, and biometric information). With the new Act, all types of personal data, including general information like names, addresses, email addresses, and phone numbers, may be subject to cross-border transfer restrictions.

Extraterritorial Applicability and Implications

The Act is designed to have extraterritorial reach, applying to entities outside India. Foreign companies collecting personal data from Indian residents while offering goods and services must comply with the Act.

If a country is blacklisted, transferring personal data to companies in that country will be prohibited. This restriction could also extend to the initial collection of data by companies in blacklisted countries, potentially preventing these companies from conducting business in India, especially through online models as basic personal data is required for providing goods or services.

A notable aspect is that the Act's restrictions do not seem to cover subsequent transfers of personal data.Companies might exploit this loophole by transferring data to non-blacklisted countries and then to blacklisted ones. It remains to be seen how the government will enforce these cross-border transfer restrictions.

Lastly, sectoral laws imposing cross-border transfer restrictions will continue to apply alongside the Act. Even if the government permits data transfers to a specific country, sectoral laws may still restrict the transfer or require data localization, rendering the transfer impermissible. Sectoral regulators often settransfer restrictions for data specific to their sectors, including both personal and

non-personal datasets.

Data Localization (Sectoral Requirement)

Several key sectoral regulations outline specific requirements for data localization. India's central bank, the Reserve Bank of India (RBI), mandates through its Notification on Storage of Payment Systems Data that payment system service providers must store all data related to their payment systems within India.

Similarly, the Department of Telecommunications (DoT) requires telecom operators to keep user and accounting information of telecom subscribers domestically.

The Securities and Exchange Board of India (SEBI) has issued Circular No.

SEBI/HO/MIRSD2/DOR/CIR/P/2020/221 advising financial sector organizations utilizing Software as a Service (SaaS) solutions to ensure critical data remains within India’s legal boundaries.

Under the Insurance Regulatory and Development Authority of India Act 1999 and Regulation 3(9) of the IRDAI (Maintenance of Insurance Records) Regulations 2015, it is mandated that all records, including electronic ones related to policies issued and claims made in India, must be stored in data centers located within India.

In April 2022, the Indian Computer Emergency Response Team (CERT-In) issued Direction No. 20(3)/2022-CERT-In, which mandates all service providers, intermediaries, data centers, body corporates, and Government organizations to enable and securely maintain logs of all their ICT systems for 180 days

within India.

Moreover, the Companies (Accounts) Rules 2014, as amended, require that electronic backups of a company’s books of accounts and other papers, even if maintained outside India, must be stored on servers physically located in India with daily backups. Additionally, these electronic records must always be accessible from within India.

The National Health Authority (NHA) issued a Draft Revised Health Data Management Policy on April 23, 2022, inviting feedback from stakeholders by May 21, 2022. This draft policy mandates that personal data must not be stored outside the geographical boundaries of India, adhering to relevant legal provisions.

Current laws do not have specific regulations for employee data. Therefore, personal data or sensitive personal data related to employees is treated similarly to any other personal information or sensitive personal data (SPDI) of individuals. Compliance requirements for employee data follow the same guidelines.

Exemptions under DPDPA

Examples of processing activities that are exempt from certain restrictions, along with scenarios where both government and private entities might utilize these exemptions, include:

Crime Prevention and Investigation:- Indian police and law enforcement agencies will not face restrictions on cross-border data transfers to specified jurisdictions for international criminal investigations or extraditions. Private companies may also use this exemption for transferring data during internal investigations or fraud cases.

Legal Rights Enforcement:- Cross-border data transfer restrictions will not impede transfers necessary to enforce legal rights, such as in property disputes, matrimonial issues, immigration cases, and financial claims.

Contractual Processing with Foreign Entities: Data transfer restrictions do not apply to processing carried out under contracts with foreign entities. This is particularly relevant for the Indian outsourcing industry, which processes non-Indian personal data for foreign clients.

Mergers and Acquisitions:- Indian companies involved in legally sanctioned mergers, demergers, acquisitions, or similar arrangements with foreign companies can transfer employee and other personal data, even to jurisdictions where data transfers are otherwise restricted.

Financial Investigations:- Restrictions on data transfers will not hinder financial institutions from transferring personal data to assess the financial status of defaulting customers in specified jurisdictions.

Regulatory and Judicial Functions:- Regulatory authorities can transfer personal data as needed for crossborder enforcement, regulation, or supervision, regardless of data transfer prohibitions to certain jurisdictions.

Recommended Actions for Organizations

In the absence of clarity about the conditions of data transfer requirements, it would be advisable for organizations in India to follow GDPR requirements for cross-border data transfer, which are comprehensive.

Key Requirements for Cross-Border Data Transfers

Adequate Level of Protection: Personal data can only be transferred to countries or entities that provide an adequate level of protection. This adequacy is determined by the Indian government, which assesses whether the foreign jurisdiction's data protection laws offer comparable safeguards to those in India.

Standard Contractual Clauses (SCCs):- In the absence of an adequacy decision, companies can rely on Standard Contractual Clauses. These are predefined contractual terms that bind the data exporter and importer to adhere to stringent data protection standards. SCCs provide a legal mechanism to ensure that

personal data transferred outside the border receives the same level of protection as it would domestically.

Binding Corporate Rules (BCRs): For multinational corporations, Binding Corporate Rules offer an alternative to SCCs. BCRs are internal policies adopted by multinational groups to facilitate crossborder data transfers within the same corporate family.

Explicit Consent:- Another route for lawful data transfer is obtaining explicit consent from the data subject. The consent must be informed, specific, and unambiguous, indicating the data subject's agreement to transfer their personal data to a foreign jurisdiction. Businesses must ensure that the data subject understands the potential risks involved in such transfers.

Legitimate Interests and Legal Obligations:- In certain circumstances, cross-border data transfers can be justified based on legitimate interests pursued by the data controller, provided these interests are not overridden by the data subject's rights and freedoms. Additionally, transfers required to meet legal obligations or enforce contracts can also be permissible under the DPDP Act.

The legislation also established the notion of a key data fiduciary, referring to an entity required to meet higher compliance standards due to its handling of large volumes of data processing, high-risk data, or functioning within a politically sensitive sector. The central government retains the authority to impose

further compliance obligations on these key data fiduciaries. Consequently, it is plausible that the government might leverage this authority to limit the transfer of personal data by key data fiduciaries to foreign countries or specified regions.

Practical Steps for Compliance

Data Mapping and Classification:- Businesses should start by mapping out the data flows within their organization, identifying which data sets are transferred across borders. Classifying data based on sensitivity and criticality helps in applying appropriate safeguards.

Implementing Robust Security Measures:- Ensuring data security during transfer is paramount. Businesses must adopt encryption, access controls, and other security measures to protect personal data in transit and at rest.

Conducting Data Protection Impact Assessments (DPIAs):- DPIAs are essential for assessing the risks associated with cross-border data transfers. These assessments help identify potential vulnerabilities and implement mitigating measures to protect data subjects' rights.

Regular Audits and Compliance Checks:- Continuous monitoring and periodic audits are crucial to ensure ongoing compliance with data protection laws. Businesses should establish mechanisms to regularly review their data transfer practices and update policies as needed.

Training and Awareness Programs:- Educating employees about data protection requirements and best practices is vital. Regular training sessions can help build a culture of compliance and ensure that all staff members understand their roles and responsibilities in safeguarding personal data.


As businesses navigate the complexities of cross-border data transfers, understanding and complying with India's DPDP Act is essential to avoid legal pitfalls and maintain customer trust. By implementing robust data protection measures and adhering to the prescribed legal requirements, companies can ensure the secure and lawful transfer of personal data across borders, fostering a safe and trustworthy digital environment.

On the other hand, the Act establishes a broad and basic framework for a comprehensive data protection system in India. The specifics regarding its implementation and enforcement are expected to be detailed by the Government through rules and regulations. The actual impact of the Government's broad authority to limit data transfers to specific jurisdictions will become clear once these rules are issued under the Act. The application of exemptions and practical considerations will likely be clarified with the introduction of these regulations.


Follow LexTalk World for more news and updates from International Legal Industry.



bottom of page